Technical scribble…..

I ran into an issue today on Windows Server 2012R2 where AppLocker was blocking logon & logoff scripts despite the sysvol folder being in the allowed policy. The documentation indicates that allowing the following folder should be enough:
\\domain.com\sysvol\domain.com\policies\*

This isn't the case, you actually need the NETLOGON folder too:
\\domain.com\NETLOGON\*

And in my instance I was forced to explicitly include the domain controllers also:
\\DomainController1\NETLOGON\*
\\DomainController2\NETLOGON\*

Although potentially you could try using logonserver instead to futureproof the rule:
%LOGONSERVER%\NETLOGON\*
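One way to confirm which UNC spellings of a logon script the effective AppLocker policy actually allows, as an added example that is not part of the original post. The script name `logon.bat` and the `-ExtraServers` values are placeholders; the script assumes a domain-joined machine with the AppLocker PowerShell module available.

```powershell
# Added example: test every UNC path to the same NETLOGON script against the
# effective AppLocker policy, because path rules match the path as it is
# spelled, not the file behind it.
param(
    [string]$ScriptName     = 'logon.bat',   # placeholder: a script that exists in NETLOGON
    [string]$User           = 'Everyone',    # account or group to evaluate the policy for
    [string[]]$ExtraServers = @()            # e.g. 'DomainController1','DomainController2'
)

Import-Module AppLocker

$domain      = $env:USERDNSDOMAIN                      # e.g. domain.com
$logonServer = $env:LOGONSERVER -replace '^\\\\', ''   # variable is stored as \\DCNAME

# Every host name through which the same NETLOGON share can be reached.
$hostNames = @($domain, $logonServer) + $ExtraServers |
    Where-Object { $_ } | Select-Object -Unique

$policy = Get-AppLockerPolicy -Effective

$results = foreach ($h in $hostNames) {
    $path = "\\$h\NETLOGON\$ScriptName"
    if (-not (Test-Path -LiteralPath $path)) {
        # The file has to be reachable for the policy test to mean anything.
        [pscustomobject]@{ Path = $path; Decision = 'NotFound'; Rule = $null }
        continue
    }
    $r = Test-AppLockerPolicy -PolicyObject $policy -Path $path -User $User
    [pscustomobject]@{
        Path     = $path
        Decision = [string]$r.PolicyDecision   # Allowed, Denied or DeniedByDefault
        Rule     = $r.MatchingRule             # name of the rule that decided, if any
    }
}

$results | Format-Table -AutoSize

# Flag any spelling of the path that the current rules do not cover.
$blocked = $results | Where-Object { $_.Decision -ne 'Allowed' }
if ($blocked) {
    Write-Warning ("Not allowed via: " + ($blocked.Path -join ', '))
}
```

AppLocker documents its own set of path variables (%WINDIR%, %SYSTEM32%, %OSDRIVE%, %PROGRAMFILES%, %REMOVABLE%, %HOT%), so a rule written with %LOGONSERVER% is worth running through this check before relying on it.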

I was installing ESXi 5.5 onto a USB stick today, something I have done hundreds of times. The install went fine, however no matter what I tried in the BIOS it just wouldn’t boot. Turns out, the server (in this case an HP DL380 G8) had no support for UEFI. Since ESXi 5.5 installs as GPT by default this was never going to boot. The solution is to force the ESXi install to use MBR (we're not going to make use of the GPT advantages on a 4GB USB stick anyway):

Boot from ESXi install media

Hit SHIFT+O when prompted

Enter "runweasel formatwithmbr" then hit enter to continue with the installer. (Note the word runweasel is already there, you just need to type <space> formatwithmbr.)

I’ve recently had the pleasure of implementing Veeam Backup & Replication v8 as a direct replacement for BackupExec 2012/2014 vRay edition. BackupExec 2012 was a terrible product, which is such a shame considering how good its Veritas predecessor was. BackupExec 2014 was just as bad; its low reliability and poor usability create a huge support overhead and make RTO/RPO goals unachievable. I think Symantec approached VM backups from the wrong angle; by indexing and cataloging all data within the VM at the point of backup, your backup jobs take longer and are more prone to failure, therefore it becomes difficult to fit everything within your backup windows. Veeam keeps things simple and just uses the inbuilt ESXi snapshot capabilities – backups are therefore quick and the danger of agent/application based failures is removed. Here is a quick summary of my experience with Veeam:

Pros:

VEEAM It just works! I can’t count the amount of times those words have been shouted across my office. Seriously, this software is reliable. I have yet to see a backup job failure other than when hardware was at fault.

It is truly agentless. There is nothing to install on the VM which makes roll-out much quicker and reduces ongoing support effort.

For some time now, I’ve been exploring the best ways of configuring a distributed Nagios setup. With the “federated” configuration that Nagios recommend, you can pass data from remote Nagios instances back to a central Nagios server with the use of passive checks combined with NSCA or NRDP. Whilst this works well, the duplicate configuration on each server soon becomes tedious and unmanageable. There are other alternatives such as mod_gearman but in my opinion these lack the intelligence to be effective.

The ability to have centralised configuration in a distributed setup isn’t currently supported by Nagios, therefore I have shifted my focus towards centralised reporting, where data is aggregated from several independent Nagios instances to a centralised location. This provides the benefits of multiple Nagios instances at remote sites but without the overhead and complexity associated with duplicating the configuration. There are quite a few tools offering centralised reporting, such as Nagios Fusion and Thruk, but my favorite by far is checkmk multisite.

Recently whilst troubleshooting a vSphere cluster issue, I had to align the firmware and driver on each ESXi host in the cluster. The following commands help to gather the required information. Of course you could easily create a PowerCLI script to cycle through each host and run these commands if you are inclined:

If you use Sinetica Hawk-I or RacKMS to manage/monitor your datacentre cabinets, I’ve created a Nagios plugin to monitor each of the sensors (temperature/humidity etc). You can grab check_cab over at Nagios Exchange.

It's useful to configure your VCSA as a network dump collector for when your ESXi hosts experience a PSOD, just make sure that the “ESXi Dump Collector” service is running on your VCSA. The host configuration via ESXCLI is as follows:

Goodbye initd, systemd is here! Systemd brings a lot of benefits such as parallel startups and enhanced troubleshooting but sure does take some getting used to when you have been working in a completely different way for your entire Linux life! Systemd is now shipping with CentOS7 and most of the other major distros, so it's time to learn!

I always find Java Keystores a total ballache to work with, would rather manage individual PEM files any day of the week. If you need to export the contents for use with something else you can use the following commands: